Cisco Firepower Management Center 4000

28-2
FireSIGHT System User Guide
 
Chapter 28      Detecting Specific Threats 
  Detecting Portscans
To view the Back Orifice Detection page:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2
Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See  for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4
You have two choices, depending on whether Back Orifice Detection under Specific Threat Detection is enabled:
  • If the preprocessor is enabled, click Edit.
  • If the preprocessor is disabled, click Enabled, then click Edit.
The Back Orifice Detection page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See  for more information.
Step 5
Optionally, click Configure Rules for Back Orifice Detection at the top of the page.
A filtered view appears of Back Orifice preprocessor rules on the Rules page, where you can enable and disable rules and configure other rule attributes. See  for more information.
Note that you must set the rule state of preprocessor rules to Generate Events or, optionally, to Drop and Generate Events in an inline policy, if you want the preprocessor to log intrusion events.
Click Back to return to the Back Orifice Detection page.
Step 6
Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the  table for more information.
Detecting Portscans
License: Protection
A portscan is a form of network reconnaissance that is often used by attackers as a prelude to an attack. 
In a portscan, an attacker sends specially crafted packets to a targeted host. By examining the packets 
that the host responds with, the attacker can often determine which ports are open on the host and, either 
directly or by inference, which application protocols are running on these ports.
Note that when portscan detection is enabled, you must enable rules on the Rules page with generator ID (GID) 122 for enabled portscan types for the portscan detector to generate portscan events. A link on the configuration page takes you to a filtered view of portscan detection rules on the Rules page, where you can enable and disable rules and configure other rule attributes. See  and the  table for more information.
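The behaviour the section describes (one source probing many ports on a host, judged within a time window) as an added example that is not part of the guide and is not FireSIGHT's own portscan detector code: a small Python detector run over constructed connection-log lines. The log format, the 30-second window, the threshold of five, and the use of SYN-flagged lines as "connection attempts" are assumptions made here; GID 122 is the generator ID the page names. It goes slightly beyond the page by also flagging the inverse pattern, one port probed across many hosts, and by showing how a slow probe spaced across minutes falls outside a short window.

```python
"""Heuristic portscan / portsweep detector over constructed connection-log lines.

Added example, not from the FireSIGHT guide and not the product's detector:
it mimics in miniature the windowed counting a portscan detector performs.
Log format, window and threshold are assumptions of this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PORTSCAN_GID = 122  # generator ID of the portscan rules named on the page

# Constructed sample log (not real traffic): "<ISO timestamp> <src> <dst> <dport> <tcp flags>"
SAMPLE_LOG = [
    # 10.0.0.5 probes six ports on one host within five seconds (portscan)
    "2024-01-01T10:00:00 10.0.0.5 192.168.1.10 21 S",
    "2024-01-01T10:00:01 10.0.0.5 192.168.1.10 22 S",
    "2024-01-01T10:00:02 10.0.0.5 192.168.1.10 23 S",
    "2024-01-01T10:00:03 10.0.0.5 192.168.1.10 25 S",
    "2024-01-01T10:00:04 10.0.0.5 192.168.1.10 80 S",
    "2024-01-01T10:00:05 10.0.0.5 192.168.1.10 443 S",
    # 10.0.0.7 probes the same port on six hosts (portsweep)
    "2024-01-01T10:01:00 10.0.0.7 192.168.1.20 445 S",
    "2024-01-01T10:01:01 10.0.0.7 192.168.1.21 445 S",
    "2024-01-01T10:01:02 10.0.0.7 192.168.1.22 445 S",
    "2024-01-01T10:01:03 10.0.0.7 192.168.1.23 445 S",
    "2024-01-01T10:01:04 10.0.0.7 192.168.1.24 445 S",
    "2024-01-01T10:01:05 10.0.0.7 192.168.1.25 445 S",
    # 10.0.0.9 is an ordinary client: repeat connections, one ACK-only line
    "2024-01-01T10:02:00 10.0.0.9 192.168.1.10 443 S",
    "2024-01-01T10:02:01 10.0.0.9 192.168.1.10 443 A",
    "2024-01-01T10:02:30 10.0.0.9 192.168.1.30 80 S",
    # 10.0.0.8 touches five ports, but minutes apart: outside any 30 s window
    "2024-01-01T10:05:00 10.0.0.8 192.168.1.10 21 S",
    "2024-01-01T10:10:00 10.0.0.8 192.168.1.10 22 S",
    "2024-01-01T10:15:00 10.0.0.8 192.168.1.10 23 S",
    "2024-01-01T10:20:00 10.0.0.8 192.168.1.10 25 S",
    "2024-01-01T10:25:00 10.0.0.8 192.168.1.10 80 S",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def max_distinct_in_window(events, window):
    """events: list of (timestamp, value) sorted by timestamp.

    Sliding-window pass returning the largest number of distinct values that
    occur within any span of length `window`.
    """
    seen = Counter()
    left = best = 0
    for ts, value in events:
        seen[value] += 1
        # Drop events that fell out of the window ending at `ts`.
        while ts - events[left][0] > window:
            old = events[left][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            left += 1
        best = max(best, len(seen))
    return best


def detect_scans(lines, window=timedelta(seconds=30), threshold=5):
    """Return alerts for sources that, within `window`, touch at least
    `threshold` distinct ports on one host (portscan) or one port on at least
    `threshold` hosts (portsweep). Only SYN-flagged lines count as attempts.
    """
    ports_by_pair = defaultdict(list)   # (src, dst)   -> [(ts, dport)]
    hosts_by_port = defaultdict(list)   # (src, dport) -> [(ts, dst)]
    for line in lines:
        ts, src, dst, dport, flags = parse_line(line)
        if "S" not in flags:
            continue
        ports_by_pair[(src, dst)].append((ts, dport))
        hosts_by_port[(src, dport)].append((ts, dst))

    alerts = []
    for (src, dst), events in ports_by_pair.items():
        n = max_distinct_in_window(sorted(events), window)
        if n >= threshold:
            alerts.append({"type": "portscan", "gid": PORTSCAN_GID,
                           "src": src, "target": dst, "distinct_ports": n})
    for (src, dport), events in hosts_by_port.items():
        n = max_distinct_in_window(sorted(events), window)
        if n >= threshold:
            alerts.append({"type": "portsweep", "gid": PORTSCAN_GID,
                           "src": src, "port": dport, "distinct_hosts": n})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

With the default 30-second window the sample yields two alerts (the scanner and the sweeper); widening the window to 30 minutes also surfaces the slow source 10.0.0.8, which illustrates the sensitivity trade-off behind the detector's tunable window.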